# SecureWatch Enterprise Deployment Guide

Enterprise-grade SIEM platform deployment with high availability and resilience

## Overview

This guide provides comprehensive instructions for deploying the SecureWatch SIEM platform in enterprise environments with enterprise-grade resilience, monitoring, and scalability.
## Architecture Summary (v2.1.0 Consolidated)

| Component          | Port | Status                  |
|--------------------|------|-------------------------|
| Frontend           | 4000 | Production Ready        |
| Log Ingestion      | 4002 | Multi-format processing |
| Search API         | 4004 | KQL engine operational  |
| Correlation Engine | 4005 | Real-time correlation   |
| Auth Service       | 4006 | OAuth, JWT, MFA ready   |
| Query Processor    | 4008 | Async job processing    |
| Analytics Engine   | 4009 | Consolidated dashboards |
| MCP Marketplace    | 4010 | Integration ready       |
| HEC Service        | 8888 | Splunk-compatible       |
## Quick Production Deployment

### Prerequisites

- Docker & Docker Compose
- Node.js 18+ & pnpm
- 4GB+ RAM, 20GB+ storage
- SSL certificates (for production)
### 1. Enterprise Startup

```bash
# Clone and setup
git clone https://github.com/itrimble/SecureWatch.git
cd SecureWatch
pnpm install

# Production deployment with enterprise features
./start-services.sh
```
### 2. Verify Deployment

```bash
# Check all service health
curl http://localhost:4000/api/health

# Verify live data pipeline
curl http://localhost:4004/api/v1/search/logs | jq 'length'

# Check database connectivity
curl http://localhost:4002/db/health
```
## Enterprise Features

### Resilience & Error Handling

- Graceful degradation to mock data when backends fail
- Circuit breaker patterns with automatic recovery
- Comprehensive error handling with structured logging
- Health monitoring with real-time status endpoints
- Automatic restart capabilities for failed services
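The circuit breaker with fallback to mock data that the list above describes, written out as an added Node.js example. This is not SecureWatch's own code: `CircuitBreaker`, `flakyBackend`, `mockLogs` and `runScenario` are names invented here, the backend is a constructed stand-in that fails three times before recovering, and calls are kept synchronous so the state transitions are easy to follow.

```javascript
// Added example, not SecureWatch project code: a circuit breaker that
// degrades to mock data when a backend keeps failing and probes the backend
// again after a cooldown so it recovers on its own. CircuitBreaker,
// flakyBackend, mockLogs and runScenario are names invented for this example.

class CircuitBreaker {
  constructor({ failureThreshold = 3, resetTimeoutMs = 30000, now = Date.now } = {}) {
    this.failureThreshold = failureThreshold;
    this.resetTimeoutMs = resetTimeoutMs;
    this.now = now;          // injectable clock so the cooldown can be simulated
    this.state = 'closed';   // closed: calls go through; open: fail fast; half-open: one probe allowed
    this.failures = 0;
    this.openedAt = 0;
  }

  // Invoke backendCall; whenever it fails (or the breaker is open) serve fallback() instead.
  call(backendCall, fallback) {
    if (this.state === 'open') {
      if (this.now() - this.openedAt < this.resetTimeoutMs) {
        return { data: fallback(), source: 'fallback', state: this.state };  // fail fast, backend not touched
      }
      this.state = 'half-open';  // cooldown elapsed: let one probe through
    }
    try {
      const data = backendCall();
      this.failures = 0;
      this.state = 'closed';     // probe (or normal call) succeeded: fully recovered
      return { data, source: 'backend', state: this.state };
    } catch (err) {
      this.failures += 1;
      if (this.state === 'half-open' || this.failures >= this.failureThreshold) {
        this.state = 'open';
        this.openedAt = this.now();
      }
      return { data: fallback(), source: 'fallback', state: this.state, error: err.message };
    }
  }
}

// Constructed stand-in for a backend such as the Search API: fails `failCount`
// times, then answers normally.
function flakyBackend(failCount) {
  const backend = () => {
    backend.calls += 1;
    if (backend.calls <= failCount) throw new Error('search API unreachable');
    return [{ id: 1, message: 'real log event' }];
  };
  backend.calls = 0;
  return backend;
}

// Mock data served while degraded, labelled so dashboards cannot mistake it for live events.
const mockLogs = () => [{ id: 0, message: 'mock log event (degraded mode)', mock: true }];

// Drive the breaker through: two failures (opens), a fast-failed call, a failed
// probe after the cooldown (re-opens), another fast fail, then a successful probe.
function runScenario() {
  let clock = 0;
  const breaker = new CircuitBreaker({ failureThreshold: 2, resetTimeoutMs: 1000, now: () => clock });
  const backend = flakyBackend(3);
  const sources = [];
  const states = [];
  const step = () => {
    const r = breaker.call(backend, mockLogs);
    sources.push(r.source);
    states.push(r.state);
  };
  step(); step(); step();   // clock 0: fail, fail (opens), fast fail
  clock = 1500; step(); step();   // cooldown over: probe fails (re-opens), fast fail
  clock = 3000; step();     // cooldown over again: probe succeeds, breaker closes
  return { sources, states, backendCalls: backend.calls };
}

console.log(runScenario());
```

The important operational detail is the third call: once the breaker is open, the backend is not contacted at all, so a struggling Search API is not hammered by retries while it recovers. The `mock: true` marker on fallback data is what lets a dashboard flag degraded mode instead of silently showing stale or fabricated events as real.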
### Monitoring & Observability

- Service health endpoints (`/health`) for all components
- Structured JSON logging with correlation IDs
- Real-time metrics collection and reporting
- Dependency health checks (database, Redis, external APIs)
- Performance monitoring with response time tracking

### Security & Authentication

- OAuth 2.0 integration ready for enterprise providers
- JWT token validation with proper expiration handling
- Role-based access control (RBAC) framework in place
- CORS configuration for secure cross-origin requests
- Rate limiting to prevent abuse and DDoS
## Current Operational Status

### Live Data Pipeline

- Mac Agent: Collecting from 15+ macOS log sources
- Processing Rate: 15 events/batch, 0% error rate
- Database: 3,000+ entries with time-series optimization
- Uptime: 8+ hours continuous operation
- Success Rate: 100% log ingestion, 0% data loss

### Data Sources Active

- Authentication events (login, sudo, authorization)
- Security framework (malware detection, code signing)
- Process execution (exec calls, kernel events)
- Network activity (connections, firewall)
- System events (install logs, crash reports)
- Hardware events (Bluetooth, USB activity)
## Production Infrastructure

### Docker Compose Services

```yaml
services:
  postgres:        # TimescaleDB for time-series log storage
  redis-master:    # Primary cache and session storage
  redis-replica:   # Redis replication for high availability
  elasticsearch:   # Full-text search and log indexing
  kafka:           # Message queue for log streaming
  kibana:          # Log visualization and dashboards
  zookeeper:       # Kafka coordination
```
### Resource Requirements

| Environment | CPU      | Memory | Storage | Network |
|-------------|----------|--------|---------|---------|
| Development | 2 cores  | 4GB    | 20GB    | 100Mbps |
| Staging     | 4 cores  | 8GB    | 100GB   | 1Gbps   |
| Production  | 8+ cores | 16GB+  | 500GB+  | 10Gbps  |
## Advanced Configuration

### Environment Variables

```bash
# Database Configuration
DB_HOST=localhost
DB_PORT=5432
DB_NAME=securewatch
DB_USER=securewatch
DB_PASSWORD=securewatch_dev

# Redis Configuration
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=securewatch_dev

# API Configuration
SEARCH_API_URL=http://localhost:4004
LOG_INGESTION_URL=http://localhost:4002
CORS_ORIGIN=http://localhost:4000,http://localhost:4001

# Authentication (when enabled)
SUPABASE_URL=your_supabase_url
SUPABASE_ANON_KEY=your_supabase_key
JWT_SECRET=your_jwt_secret
```

The `securewatch_dev` passwords and the `your_*` values are development defaults and placeholders: replace them with values supplied by your secret management system before a production deployment, and keep production secrets out of the repository.
### SSL/TLS Configuration

For production deployment, terminate TLS at a reverse proxy in front of the frontend. The nginx configuration below is a minimal starting point; replace the server name and certificate paths with your own:

```nginx
server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
## Scaling & Performance

### Horizontal Scaling

- Database sharding by organization or time range
- Read replicas for search and analytics workloads
- Load balancing across multiple frontend instances
- Microservice replication for high availability

### Performance Tuning

- Database indexing for time-series queries
- Redis caching for frequently accessed data
- Connection pooling for database efficiency
- Query optimization with proper indexing strategies
## Monitoring & Alerting

### Health Check Endpoints

```text
# Platform overview
GET /api/health

# Individual services
GET /health      (Search API - port 4004)
GET /health      (Log Ingestion - port 4002)
GET /db/health   (Database connectivity)
```
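A deployment verification script that probes the endpoints listed above (the same ones the Verify Deployment step curls by hand), added here as an example that is not part of SecureWatch: the `probe` and `checkAll` names, the `ENDPOINTS` table and the 3-second timeout are this example's choices, it relies on the global `fetch` available in Node 18+, and it treats any non-2xx or unreachable endpoint as unhealthy because the page does not document the shape of the health response body. `fakeFetch` is a constructed stand-in so the script can be exercised without a running deployment.

```javascript
// Added example, not SecureWatch project code: probe the documented health
// endpoints and report which ones are up. probe, checkAll, ENDPOINTS and the
// 3-second timeout are this example's own choices.

const ENDPOINTS = [
  { name: 'Platform overview', url: 'http://localhost:4000/api/health' },
  { name: 'Log Ingestion',     url: 'http://localhost:4002/health' },
  { name: 'Database',          url: 'http://localhost:4002/db/health' },
  { name: 'Search API',        url: 'http://localhost:4004/health' },
];

// Probe one endpoint. Any non-2xx status, timeout or connection error counts
// as unhealthy; the body is returned so an operator can see what the service said.
async function probe(endpoint, fetchImpl = globalThis.fetch, timeoutMs = 3000) {
  if (typeof fetchImpl !== 'function') {
    return { ...endpoint, healthy: false, httpStatus: null, error: 'fetch unavailable (Node 18+ required)' };
  }
  try {
    const res = await fetchImpl(endpoint.url, { signal: AbortSignal.timeout(timeoutMs) });
    const text = await res.text();
    let body;
    try { body = JSON.parse(text); } catch { body = text; }   // keep non-JSON bodies verbatim
    return { ...endpoint, healthy: res.ok, httpStatus: res.status, body };
  } catch (err) {
    const error = err && err.name === 'TimeoutError'
      ? `timeout after ${timeoutMs}ms`
      : String(err && err.message);
    return { ...endpoint, healthy: false, httpStatus: null, error };
  }
}

// Probe every endpoint in parallel and summarise the result.
async function checkAll(fetchImpl = globalThis.fetch, endpoints = ENDPOINTS) {
  const results = await Promise.all(endpoints.map((e) => probe(e, fetchImpl)));
  return {
    allHealthy: results.every((r) => r.healthy),
    unhealthy: results.filter((r) => !r.healthy).map((r) => r.name),
    results,
  };
}

// Constructed stand-in for fetch so the checker can be exercised offline:
// the database check answers 503 and the Search API never answers at all.
function fakeFetch(url) {
  if (url.endsWith(':4002/db/health')) {
    return Promise.resolve({ ok: false, status: 503, text: async () => '{"status":"db unreachable"}' });
  }
  if (url.startsWith('http://localhost:4004')) {
    const e = new Error('The operation was aborted due to timeout');
    e.name = 'TimeoutError';
    return Promise.reject(e);
  }
  return Promise.resolve({ ok: true, status: 200, text: async () => '{"status":"ok"}' });
}

if (typeof require !== 'undefined' && require.main === module) {
  // Against a live deployment: node verify-deploy.js
  checkAll().then((summary) => console.log(JSON.stringify(summary, null, 2)));
}
```

In a pipeline, gate the rollout on `summary.allHealthy` and print `summary.unhealthy` so the failing component is named in the job output; the timeout matters because a hung service that never answers is just as much a deployment failure as one that returns 503.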
### Metrics Collection

Key metrics to monitor:

- Request latency (p95 < 100ms target)
- Error rates (< 0.1% target)
- Database connections (monitor pool usage)
- Memory usage (< 80% of available)
- Disk space (alert at 85% full)
### Alerting Rules

```yaml
# Example Prometheus alerting rules
groups:
  - name: securewatch
    rules:
      - alert: ServiceDown
        expr: up{job="securewatch"} == 0
        for: 30s
      - alert: HighErrorRate
        expr: rate(http_requests_total{status=~"5.."}[5m]) > 0.01
        for: 2m
      - alert: DatabaseConnections
        expr: pg_stat_activity_count > 80
        for: 1m
```
## Security Hardening

### Production Security Checklist

- Enable HTTPS with valid SSL certificates
- Configure proper CORS origins
- Enable authentication and authorization
- Set up proper firewall rules
- Configure rate limiting
- Enable audit logging
- Set up secret management
- Configure container security
- Enable network segmentation
- Set up intrusion detection

### Access Control

- Network: Restrict access to internal networks
- Application: Implement RBAC with proper roles
- Database: Use dedicated service accounts
- Monitoring: Secure admin interfaces
## Deployment Checklist

### Pre-deployment

- Infrastructure provisioned and tested
- SSL certificates obtained and configured
- Environment variables configured
- Database schema initialized
- Network security configured
- Monitoring and alerting set up

### Deployment

- Run `./start-services.sh` successfully
- Verify all health checks pass
- Test frontend accessibility
- Validate log ingestion pipeline
- Confirm search functionality
- Test authentication flow

### Post-deployment

- Monitor service logs for errors
- Verify performance metrics
- Test backup and recovery procedures
- Document configuration changes
- Train operations team
- Set up maintenance schedules
## Troubleshooting

### Common Issues

Services won't start:

```bash
# Check infrastructure
docker compose -f docker-compose.dev.yml ps

# Check logs
tail -f /tmp/search-api.log
tail -f /tmp/log-ingestion.log
tail -f /tmp/frontend.log
```

Database connection issues:

```bash
# Test database connectivity
docker exec securewatch_postgres pg_isready -U securewatch -d securewatch

# Check database logs
docker logs securewatch_postgres
```

High resource usage:

```bash
# Monitor resource usage
docker stats

# Check service health
curl http://localhost:4000/api/health | jq '.'
```
## Support & Maintenance

### Log Locations

- Service logs: `/tmp/{service-name}.log`
- Infrastructure logs: `docker logs {container-name}`
- Application logs: available via API endpoints

### Backup Procedures

- Database: Daily automated backups via TimescaleDB
- Configuration: Version controlled in Git
- Logs: Retained per data retention policy

### Update Procedures

1. Test updates in staging environment
2. Create backup of current state
3. Deploy updates using rolling deployment
4. Verify functionality with health checks
5. Monitor for issues post-deployment

Your SecureWatch SIEM platform is enterprise-ready!

For additional support or enterprise features, consult the main documentation or contact the development team.